I would like to know what strategy you use when you want to block any push/merge to master when the pipeline fails.
I mean, I have a project with everything configured and correct, but if someone with DEVELOPER access level does the steps below, he/she will be able to merge into master without the pipeline having been run.

1. creates a branch
2. adds a line like this: `only: master` in .gitlab-ci.yml
3. commits this change
4. pushes the local branch to the remote
5. creates a merge request with that last commit

In this scenario, the MERGE button will be available because in .gitlab-ci.yml, he/she said that the pipeline will only be run on the master branch, right?
So, in this scenario, someone got the rights by fooling the admin rule that says “Only allow merge requests to be merged if the pipeline succeeds”, but the pipeline did not succeed!!! It didn’t even run.
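
A pre-merge check for the scenario described above, as an added example that is not part of the original post: it reads the `.gitlab-ci.yml` from the merge request branch and denies the merge when no job would be created for that branch, so "no pipeline" is treated as a failure rather than a pass. The names `job_only_refs` and `merge_gate` and the sample file are hypothetical. The parser only handles the plain scalar/list forms of `only:` (no regex refs, `only: refs:`, `except:` or `rules:`), and unrecognised forms count as "does not run".

```python
import re

# Constructed sample: .gitlab-ci.yml as committed on the merge request branch.
SAMPLE_CI = """\
unit_tests:
  stage: test
  script:
    - make test
  only: master
lint:
  script: make lint
  only:
    - master
    - tags
"""

# Top-level keys that are configuration, not jobs (subset; assumption of this example).
GLOBAL_KEYS = {"stages", "variables", "default", "include", "image", "services",
               "before_script", "after_script", "cache", "workflow"}

def job_only_refs(ci_text):
    """Map each job to its `only:` refs; None means the job has no `only:` key."""
    jobs, job, in_only = {}, None, False
    for line in ci_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        top = re.match(r"^([^\s:][^:]*):", line)
        only = re.match(r"^\s+only:\s*(.*)$", line)
        item = re.match(r"^\s+-\s*(\S+)", line)
        if top:  # a new top-level key starts: either a job or a global setting
            name = top.group(1).strip()
            job = None if name in GLOBAL_KEYS or name.startswith(".") else name
            in_only = False
            if job:
                jobs[job] = None
        elif job and only:  # `only: master`, `only: [a, b]` or a block list below
            inline = only.group(1).strip("[] ")
            jobs[job] = [r.strip() for r in inline.split(",") if r.strip()]
            in_only = not inline
        elif job and in_only and item:
            jobs[job].append(item.group(1))
        else:
            in_only = False
    return jobs

def merge_gate(ci_text, source_branch):
    """Deny the merge when no job would run for the MR's source branch."""
    running = [j for j, refs in job_only_refs(ci_text).items()
               if refs is None or {source_branch, "branches", "merge_requests"} & set(refs)]
    return bool(running), running
```

A check like this only helps if it runs somewhere the branch author cannot edit, since the `.gitlab-ci.yml` on the branch is under their control.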